|
|
Created:
10 years ago by Tanmay Vartak Modified:
9 years, 12 months ago CC:
connector-cr_google.com Visibility:
Public. |
DescriptionADFS Support for SharePoint Adaptor
Patch Set 1 #
Total comments: 30
Patch Set 2 : With code review comments and live authentication support #
Total comments: 18
Patch Set 3 : With code review comments on patch 2 #
Total comments: 47
Patch Set 4 : Discard this patch #Patch Set 5 : With code review comments and Authentication handler factory #
Total comments: 25
Patch Set 6 : With code review comments implemented #
Total comments: 69
Patch Set 7 : With code review comments and restructuring Authentication Handler #
Total comments: 17
MessagesTotal messages: 40
Just peeking, not looking at logic. ;-) John L https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... File src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:36: // Wrapper class to provide basic SAML finctionality which can be used by Use javadoc, "finctionality" => "functionality", "diffrent" => "different", add a period. https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:38: public class SAMLAuthenticationHandler implements AuthenticationHandler { "SamlAuthenticationHandler" https://codereview.appspot.com/83730043/diff/1/test/com/google/enterprise/ada... File test/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java (right): https://codereview.appspot.com/83730043/diff/1/test/com/google/enterprise/ada... test/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java:30: public class SAMLAuthenticationHandlerTest { "SamlAuthenticationHandlerTest"
Sign in to reply to this message.
https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:50: private final String login = "/_layouts/Authenticate.aspx"; I don't think we should hardcode this https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:103: stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed"; I don't think you should hardcode this, what if I want different STS URL (e.g. SharePoint online) https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:115: requestProperties.put("Expect", "100-continue"); I guess you put it here because .NET does send this header by default, I would just drop it. https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:116: requestProperties.put("Connection", "Keep-Alive"); I would drop this https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:117: requestProperties.put("Content-Length", Integer.toString(saml.length())); I would move this to the SAMLAuthenticationHandler class https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:130: String url = endpoint + "/_trust"; not fan of the hardcoding again https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:144: requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; " why do you think we need this - in my tests, this is not necessary https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:153: private String generateSAMLRequest() { At least & should be handled to avoid XML issues https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:166: = document.getElementsByTagName("t:RequestSecurityTokenResponse"); You are relying on the namespace alias to be always "t". You should use getElementsByTagNameNS() https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170: return null; you should also throw an exception here and not return null https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:173: String token = getOuterXml(responseToken); I don't understand what this is for? Why don't you just run nodex.item(0).getTextContent() https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... File src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:121: connection.addRequestProperty(key, connectionProperties.get(key)); I think content-length should be set here by default and not passed by the user.
Sign in to reply to this message.
Hi Ondra, Thanks for review. I have added my reply to some of your comments. Most of them I have implemented. I will upload a patch soon once we decide on approach to specify various properties. Regards, Tanmay https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:50: private final String login = "/_layouts/Authenticate.aspx"; /_layouts/Authenticate.aspx is part of regular claims processing. http://msdn.microsoft.com/en-us/library/hh147177(v=office.14).aspx#SPO_RA_Cla... Do you think we can have this as a default value? which can be overridden by either use of system.property or via adaptopr config.properties? On 2014/04/03 08:56:22, ondrejnovak wrote: > I don't think we should hardcode this https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:103: stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed"; For SharePoint Online, we need to use little different implementation (need to refer different node to extract token). One question I have is, if we allow user to specify different endpoint here, that might not work with reqXML we have here. On 2014/04/03 08:56:22, ondrejnovak wrote: > I don't think you should hardcode this, what if I want different STS URL (e.g. > SharePoint online) https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:115: requestProperties.put("Expect", "100-continue"); removed. These settings were required if I want to use CookieManager object to grab cookie. But I changed implementation. On 2014/04/03 08:56:22, ondrejnovak wrote: > I guess you put it here because .NET does send this header by default, I would > just drop it. https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:116: requestProperties.put("Connection", "Keep-Alive"); Done. On 2014/04/03 08:56:22, ondrejnovak wrote: > I would drop this https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:117: requestProperties.put("Content-Length", Integer.toString(saml.length())); Done On 2014/04/03 08:56:22, ondrejnovak wrote: > I would move this to the SAMLAuthenticationHandler class https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:130: String url = endpoint + "/_trust"; Again this was specific to ADFS implementation. But we can override it. On 2014/04/03 08:56:22, ondrejnovak wrote: > not fan of the hardcoding again https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:144: requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; " Again due to CookieManager object. Removed. On 2014/04/03 08:56:22, ondrejnovak wrote: > why do you think we need this - in my tests, this is not necessary https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:153: private String generateSAMLRequest() { I have updated reqXML to use CDATA to escape any special characters in username and password. On 2014/04/03 08:56:22, ondrejnovak wrote: > At least & should be handled to avoid XML issues https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:166: = document.getElementsByTagName("t:RequestSecurityTokenResponse"); Done. On 2014/04/03 08:56:22, ondrejnovak wrote: > You are relying on the namespace alias to be always "t". You should use > getElementsByTagNameNS() https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170: return null; Done. On 2014/04/03 08:56:22, ondrejnovak wrote: > you should also throw an exception here and not return null https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:173: String token = getOuterXml(responseToken); getTextContent() gets the text value for XML node. So it is skipping all XML tags. Also we need entire "RequestSecurityTokenResponse" XML including "<t:RequestSecurityTokenResponse>" and "</t:RequestSecurityTokenResponse>" Do we have anything in JAVA like in .NET XmlNode.OuterXml? On 2014/04/03 08:56:22, ondrejnovak wrote: > I don't understand what this is for? Why don't you just run > nodex.item(0).getTextContent() https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... File src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:36: // Wrapper class to provide basic SAML finctionality which can be used by On 2014/04/02 21:47:14, John L wrote: > Use javadoc, "finctionality" => "functionality", "diffrent" => "different", add > a period. Done. https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:38: public class SAMLAuthenticationHandler implements AuthenticationHandler { On 2014/04/02 21:47:14, John L wrote: > "SamlAuthenticationHandler" Done. https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap... src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:121: connection.addRequestProperty(key, connectionProperties.get(key)); Done On 2014/04/03 08:56:22, ondrejnovak wrote: > I think content-length should be set here by default and not passed by the user. https://codereview.appspot.com/83730043/diff/1/test/com/google/enterprise/ada... File test/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java (right): https://codereview.appspot.com/83730043/diff/1/test/com/google/enterprise/ada... test/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java:30: public class SAMLAuthenticationHandlerTest { On 2014/04/02 21:47:14, John L wrote: > "SamlAuthenticationHandlerTest" Done.
Sign in to reply to this message.
I think keeping these as default with the option to override it in adaptor-config.properties would be best. Thanks Ondra On Thu, Apr 10, 2014 at 7:26 PM, <tvartak@google.com> wrote: > Hi Ondra, > > Thanks for review. I have added my reply to some of your comments. Most > of them I have implemented. I will upload a patch soon once we decide on > approach to specify various properties. > > Regards, > Tanmay > > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java > File > src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java > (right): > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode50 > src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:50: > private final String login = "/_layouts/Authenticate.aspx"; > /_layouts/Authenticate.aspx is part of regular claims processing. > http://msdn.microsoft.com/en-us/library/hh147177(v=office. > 14).aspx#SPO_RA_ClaimsSequence > > Do you think we can have this as a default value? which can be > overridden by either use of system.property or via adaptopr > config.properties? > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> I don't think we should hardcode this >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode103 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:103: > stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed"; > For SharePoint Online, we need to use little different implementation > (need to refer different node to extract token). > > One question I have is, if we allow user to specify different endpoint > here, that might not work with reqXML we have here. > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> I don't think you should hardcode this, what if I want different STS >> > URL (e.g. > >> SharePoint online) >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode115 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:115: > requestProperties.put("Expect", "100-continue"); > removed. These settings were required if I want to use CookieManager > object to grab cookie. But I changed implementation. > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> I guess you put it here because .NET does send this header by default, >> > I would > >> just drop it. >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode116 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:116: > requestProperties.put("Connection", "Keep-Alive"); > Done. > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> I would drop this >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode117 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:117: > requestProperties.put("Content-Length", > Integer.toString(saml.length())); > Done > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> I would move this to the SAMLAuthenticationHandler class >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode130 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:130: > String url = endpoint + "/_trust"; > Again this was specific to ADFS implementation. But we can override it. > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> not fan of the hardcoding again >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode144 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:144: > requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; " > Again due to CookieManager object. Removed. > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> why do you think we need this - in my tests, this is not necessary >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode153 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:153: > private String generateSAMLRequest() { > I have updated reqXML to use CDATA to escape any special characters in > username and password. > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> At least & should be handled to avoid XML issues >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode166 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:166: > = document.getElementsByTagName("t:RequestSecurityTokenResponse"); > Done. > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> You are relying on the namespace alias to be always "t". You should >> > use > >> getElementsByTagNameNS() >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode170 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:170: > return null; > Done. > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> you should also throw an exception here and not return null >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode173 > src/com/google/enterprise/adaptor/sharepoint/ > AdfsHandshakeManager.java:173: > String token = getOuterXml(responseToken); > getTextContent() gets the text value for XML node. So it is skipping all > XML tags. Also we need entire "RequestSecurityTokenResponse" XML > including "<t:RequestSecurityTokenResponse>" and > "</t:RequestSecurityTokenResponse>" > > Do we have anything in JAVA like in .NET XmlNode.OuterXml? > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> I don't understand what this is for? Why don't you just run >> nodex.item(0).getTextContent() >> > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java > File > src/com/google/enterprise/adaptor/sharepoint/ > SAMLAuthenticationHandler.java > (right): > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. > java#newcode36 > src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. > java:36: > // Wrapper class to provide basic SAML finctionality which can be used > by > On 2014/04/02 21:47:14, John L wrote: > >> Use javadoc, "finctionality" => "functionality", "diffrent" => >> > "different", add > >> a period. >> > > Done. > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. > java#newcode38 > src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. > java:38: > public class SAMLAuthenticationHandler implements AuthenticationHandler > { > On 2014/04/02 21:47:14, John L wrote: > >> "SamlAuthenticationHandler" >> > > Done. > > https://codereview.appspot.com/83730043/diff/1/src/com/ > google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. > java#newcode121 > src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. > java:121: > connection.addRequestProperty(key, connectionProperties.get(key)); > Done > On 2014/04/03 08:56:22, ondrejnovak wrote: > >> I think content-length should be set here by default and not passed by >> > the user. > > https://codereview.appspot.com/83730043/diff/1/test/com/ > google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java > File > test/com/google/enterprise/adaptor/sharepoint/ > SAMLAuthenticationHandlerTest.java > (right): > > https://codereview.appspot.com/83730043/diff/1/test/com/ > google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest. > java#newcode30 > test/com/google/enterprise/adaptor/sharepoint/ > SAMLAuthenticationHandlerTest.java:30: > public class SAMLAuthenticationHandlerTest { > On 2014/04/02 21:47:14, John L wrote: > >> "SamlAuthenticationHandlerTest" >> > > Done. > > https://codereview.appspot.com/83730043/ >
Sign in to reply to this message.
+1 - technology's compounding interest - On Fri, Apr 11, 2014 at 4:25 AM, Ondrej Novak <ondrejnovak@google.com>wrote: > I think keeping these as default with the option to override it in > adaptor-config.properties would be best. > > Thanks > > Ondra > > > On Thu, Apr 10, 2014 at 7:26 PM, <tvartak@google.com> wrote: > >> Hi Ondra, >> >> Thanks for review. I have added my reply to some of your comments. Most >> of them I have implemented. I will upload a patch soon once we decide on >> approach to specify various properties. >> >> Regards, >> Tanmay >> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java >> File >> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java >> (right): >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode50 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:50: >> private final String login = "/_layouts/Authenticate.aspx"; >> /_layouts/Authenticate.aspx is part of regular claims processing. >> http://msdn.microsoft.com/en-us/library/hh147177(v=office. >> 14).aspx#SPO_RA_ClaimsSequence >> >> Do you think we can have this as a default value? which can be >> overridden by either use of system.property or via adaptopr >> config.properties? >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> I don't think we should hardcode this >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode103 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:103: >> stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed"; >> For SharePoint Online, we need to use little different implementation >> (need to refer different node to extract token). >> >> One question I have is, if we allow user to specify different endpoint >> here, that might not work with reqXML we have here. >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> I don't think you should hardcode this, what if I want different STS >>> >> URL (e.g. >> >>> SharePoint online) >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode115 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:115: >> requestProperties.put("Expect", "100-continue"); >> removed. These settings were required if I want to use CookieManager >> object to grab cookie. But I changed implementation. >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> I guess you put it here because .NET does send this header by default, >>> >> I would >> >>> just drop it. >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode116 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:116: >> requestProperties.put("Connection", "Keep-Alive"); >> Done. >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> I would drop this >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode117 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:117: >> requestProperties.put("Content-Length", >> Integer.toString(saml.length())); >> Done >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> I would move this to the SAMLAuthenticationHandler class >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode130 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:130: >> String url = endpoint + "/_trust"; >> Again this was specific to ADFS implementation. But we can override it. >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> not fan of the hardcoding again >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode144 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:144: >> requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; " >> Again due to CookieManager object. Removed. >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> why do you think we need this - in my tests, this is not necessary >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode153 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:153: >> private String generateSAMLRequest() { >> I have updated reqXML to use CDATA to escape any special characters in >> username and password. >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> At least & should be handled to avoid XML issues >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode166 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:166: >> = document.getElementsByTagName("t:RequestSecurityTokenResponse"); >> Done. >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> You are relying on the namespace alias to be always "t". You should >>> >> use >> >>> getElementsByTagNameNS() >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode170 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:170: >> return null; >> Done. >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> you should also throw an exception here and not return null >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode173 >> src/com/google/enterprise/adaptor/sharepoint/ >> AdfsHandshakeManager.java:173: >> String token = getOuterXml(responseToken); >> getTextContent() gets the text value for XML node. So it is skipping all >> XML tags. Also we need entire "RequestSecurityTokenResponse" XML >> including "<t:RequestSecurityTokenResponse>" and >> "</t:RequestSecurityTokenResponse>" >> >> Do we have anything in JAVA like in .NET XmlNode.OuterXml? >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> I don't understand what this is for? Why don't you just run >>> nodex.item(0).getTextContent() >>> >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java >> File >> src/com/google/enterprise/adaptor/sharepoint/ >> SAMLAuthenticationHandler.java >> (right): >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >> java#newcode36 >> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >> java:36: >> // Wrapper class to provide basic SAML finctionality which can be used >> by >> On 2014/04/02 21:47:14, John L wrote: >> >>> Use javadoc, "finctionality" => "functionality", "diffrent" => >>> >> "different", add >> >>> a period. >>> >> >> Done. >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >> java#newcode38 >> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >> java:38: >> public class SAMLAuthenticationHandler implements AuthenticationHandler >> { >> On 2014/04/02 21:47:14, John L wrote: >> >>> "SamlAuthenticationHandler" >>> >> >> Done. >> >> https://codereview.appspot.com/83730043/diff/1/src/com/ >> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >> java#newcode121 >> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >> java:121: >> connection.addRequestProperty(key, connectionProperties.get(key)); >> Done >> On 2014/04/03 08:56:22, ondrejnovak wrote: >> >>> I think content-length should be set here by default and not passed by >>> >> the user. >> >> https://codereview.appspot.com/83730043/diff/1/test/com/ >> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java >> File >> test/com/google/enterprise/adaptor/sharepoint/ >> SAMLAuthenticationHandlerTest.java >> (right): >> >> https://codereview.appspot.com/83730043/diff/1/test/com/ >> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest. >> java#newcode30 >> test/com/google/enterprise/adaptor/sharepoint/ >> SAMLAuthenticationHandlerTest.java:30: >> public class SAMLAuthenticationHandlerTest { >> On 2014/04/02 21:47:14, John L wrote: >> >>> "SamlAuthenticationHandlerTest" >>> >> >> Done. >> >> https://codereview.appspot.com/83730043/ >> > >
Sign in to reply to this message.
Yes I have implemented same. New patch will be out by EOD On Fri, Apr 11, 2014 at 11:42 AM, PJ <pjo@google.com> wrote: > +1 > > > - technology's compounding interest > - > > > On Fri, Apr 11, 2014 at 4:25 AM, Ondrej Novak <ondrejnovak@google.com>wrote: > >> I think keeping these as default with the option to override it in >> adaptor-config.properties would be best. >> >> Thanks >> >> Ondra >> >> >> On Thu, Apr 10, 2014 at 7:26 PM, <tvartak@google.com> wrote: >> >>> Hi Ondra, >>> >>> Thanks for review. I have added my reply to some of your comments. Most >>> of them I have implemented. I will upload a patch soon once we decide on >>> approach to specify various properties. >>> >>> Regards, >>> Tanmay >>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java >>> File >>> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java >>> (right): >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode50 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:50: >>> private final String login = "/_layouts/Authenticate.aspx"; >>> /_layouts/Authenticate.aspx is part of regular claims processing. >>> http://msdn.microsoft.com/en-us/library/hh147177(v=office. >>> 14).aspx#SPO_RA_ClaimsSequence >>> >>> Do you think we can have this as a default value? which can be >>> overridden by either use of system.property or via adaptopr >>> config.properties? >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> I don't think we should hardcode this >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode103 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:103: >>> stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed"; >>> For SharePoint Online, we need to use little different implementation >>> (need to refer different node to extract token). >>> >>> One question I have is, if we allow user to specify different endpoint >>> here, that might not work with reqXML we have here. >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> I don't think you should hardcode this, what if I want different STS >>>> >>> URL (e.g. >>> >>>> SharePoint online) >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode115 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:115: >>> requestProperties.put("Expect", "100-continue"); >>> removed. These settings were required if I want to use CookieManager >>> object to grab cookie. But I changed implementation. >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> I guess you put it here because .NET does send this header by default, >>>> >>> I would >>> >>>> just drop it. >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode116 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:116: >>> requestProperties.put("Connection", "Keep-Alive"); >>> Done. >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> I would drop this >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode117 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:117: >>> requestProperties.put("Content-Length", >>> Integer.toString(saml.length())); >>> Done >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> I would move this to the SAMLAuthenticationHandler class >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode130 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:130: >>> String url = endpoint + "/_trust"; >>> Again this was specific to ADFS implementation. But we can override it. >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> not fan of the hardcoding again >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode144 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:144: >>> requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; " >>> Again due to CookieManager object. Removed. >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> why do you think we need this - in my tests, this is not necessary >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode153 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:153: >>> private String generateSAMLRequest() { >>> I have updated reqXML to use CDATA to escape any special characters in >>> username and password. >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> At least & should be handled to avoid XML issues >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode166 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:166: >>> = document.getElementsByTagName("t:RequestSecurityTokenResponse"); >>> Done. >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> You are relying on the namespace alias to be always "t". You should >>>> >>> use >>> >>>> getElementsByTagNameNS() >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode170 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:170: >>> return null; >>> Done. >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> you should also throw an exception here and not return null >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java# >>> newcode173 >>> src/com/google/enterprise/adaptor/sharepoint/ >>> AdfsHandshakeManager.java:173: >>> String token = getOuterXml(responseToken); >>> getTextContent() gets the text value for XML node. So it is skipping all >>> XML tags. Also we need entire "RequestSecurityTokenResponse" XML >>> including "<t:RequestSecurityTokenResponse>" and >>> "</t:RequestSecurityTokenResponse>" >>> >>> Do we have anything in JAVA like in .NET XmlNode.OuterXml? >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> I don't understand what this is for? Why don't you just run >>>> nodex.item(0).getTextContent() >>>> >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java >>> File >>> src/com/google/enterprise/adaptor/sharepoint/ >>> SAMLAuthenticationHandler.java >>> (right): >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >>> java#newcode36 >>> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >>> java:36: >>> // Wrapper class to provide basic SAML finctionality which can be used >>> by >>> On 2014/04/02 21:47:14, John L wrote: >>> >>>> Use javadoc, "finctionality" => "functionality", "diffrent" => >>>> >>> "different", add >>> >>>> a period. >>>> >>> >>> Done. >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >>> java#newcode38 >>> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >>> java:38: >>> public class SAMLAuthenticationHandler implements AuthenticationHandler >>> { >>> On 2014/04/02 21:47:14, John L wrote: >>> >>>> "SamlAuthenticationHandler" >>>> >>> >>> Done. >>> >>> https://codereview.appspot.com/83730043/diff/1/src/com/ >>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >>> java#newcode121 >>> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler. >>> java:121: >>> connection.addRequestProperty(key, connectionProperties.get(key)); >>> Done >>> On 2014/04/03 08:56:22, ondrejnovak wrote: >>> >>>> I think content-length should be set here by default and not passed by >>>> >>> the user. >>> >>> https://codereview.appspot.com/83730043/diff/1/test/com/ >>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java >>> File >>> test/com/google/enterprise/adaptor/sharepoint/ >>> SAMLAuthenticationHandlerTest.java >>> (right): >>> >>> https://codereview.appspot.com/83730043/diff/1/test/com/ >>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest. >>> java#newcode30 >>> test/com/google/enterprise/adaptor/sharepoint/ >>> SAMLAuthenticationHandlerTest.java:30: >>> public class SAMLAuthenticationHandlerTest { >>> On 2014/04/02 21:47:14, John L wrote: >>> >>>> "SamlAuthenticationHandlerTest" >>>> >>> >>> Done. >>> >>> https://codereview.appspot.com/83730043/ >>> >> >> >
Sign in to reply to this message.
With code review comments and live authentication support
Sign in to reply to this message.
Thank you. First quick pass for me. https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:49: public class AdfsHandshakeManager implements SAMLHandshakeManager{ space before left curly https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:59: final String trustLocation; not private? https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:185: private String generateSAMLRequest() { generateSamlRequest https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:190: .replace("[stsrealm]", stsrealm); not safe: (1) something has "]]>" in password (2) something has next key in password One suggestion, use a string builder and take care to subsitute cdata ending with "]]]]><![CDATA[>" https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:208: log.log(Level.FINE, "ADFS Authentication Token {0}", token); is it OK to print this? https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:210: } catch (Exception ex) { seems to generic https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:38: private static final String liveSts use capitals https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:40: private static final String liveLoginUrl use capitals https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:60: DEFAULT_COOKIE_TIMEOUT_SECONDS, "PASSWORD_MISMATCH"); 2 more spaces https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:174: if("".equals(value)) { space before left paren
Sign in to reply to this message.
With code review comments on patch 2
Sign in to reply to this message.
Implemented most of code review comments. https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:49: public class AdfsHandshakeManager implements SAMLHandshakeManager{ On 2014/04/12 00:45:35, pjo wrote: > space before left curly Done. https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:59: final String trustLocation; On 2014/04/12 00:45:35, pjo wrote: > not private? Done. https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:185: private String generateSAMLRequest() { On 2014/04/12 00:45:35, pjo wrote: > generateSamlRequest Done. https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:210: } catch (Exception ex) { On 2014/04/12 00:45:35, pjo wrote: > seems to generic Done. https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:38: private static final String liveSts On 2014/04/12 00:45:35, pjo wrote: > use capitals Done. https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:40: private static final String liveLoginUrl On 2014/04/12 00:45:35, pjo wrote: > use capitals Done. https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:60: DEFAULT_COOKIE_TIMEOUT_SECONDS, "PASSWORD_MISMATCH"); On 2014/04/12 00:45:35, pjo wrote: > 2 more spaces Done. https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:174: if("".equals(value)) { On 2014/04/12 00:45:35, pjo wrote: > space before left paren Done.
Sign in to reply to this message.
Hi PJ / Ondra, I want to introduce AuthenticationFactory object get appropriate authentication client, so that it will be easier to test SharePoint adaptor with new configurations. So you can continue your review for other changes or hold on your review. I will upload new patch. Regards, Tanmay https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:495: authenticationClient = new SharePointFormsAuthenticationHandler( I want to replace this with a Factory method to make writing unit tests easy.
Sign in to reply to this message.
Thank you. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:117: public Builder (String sharePointUrl, String username, s/r (/r(/ https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:144: public Builder setTrustLocation (String trustLocation) { s/n (/n(/ https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:150: return new AdfsHandshakeManager(sharePointUrl, username, is it ok if trustLocation or login are still null? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:154: remove extra empty line https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:161: = new HashMap<String, String>(); r u sure this line would be over80? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:164: "application/soap+xml; charset=utf-8"); ibid https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:176: + "&wctx=" + URLEncoder.encode(sharePointUrl + login,"UTF-8") should we check somewhere earlier that sharePointUrl ends with "/"? I'm not sure if it has to or not, just a thought. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:200: db = dbf.newDocumentBuilder(); combine last two lines https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212: log.log(Level.FINER, "ADFS Authentication Token {0}", token); is it OK to log this value? is it sensitive? just asking. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:238: if(input == null) { space before ( https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:49: remove extra blank line https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:92: return new LiveAuthenticationHandshakeManager(sharePointUrl, username, should we check for "login" and stsendpoint being null? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:124: log.log(Level.FINER, "Live Authentication Token {0}", token); is this a sensitive value that can be logged? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:135: remove extra blank line https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:149: private final Map<String, List<String>> headers; i don't actually get what the comment is saying. what alternates? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:153: this.contents = contents; check for nulls? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:154: this.headers = headers; what do you think about making copy? not worth it because is only visible for testing? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:162: return headers; return wrapped in unmodifiable? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:449: config.addKey("sts.login", ""); add these to overview.html in source directory pls. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451: config.addKey("sharepoint.useLiveAuthentication", ""); also this one. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:509: } should we detect conflicts? as in someone provided enough info for multiple options? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198: config.addKey("sharepoint.useLiveAuthentication", ""); add to overview.html https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:263: password, scheduledExecutor, authenticationClient); this code section seems similar to the one in SPA. should it/can it be extracted out? https://codereview.appspot.com/83730043/diff/40001/test/com/google/enterprise... File test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java (right): https://codereview.appspot.com/83730043/diff/40001/test/com/google/enterprise... test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:263: remove empty line.
Sign in to reply to this message.
essage=With code review comments and Authentication handler factory
Sign in to reply to this message.
On 2014/04/18 20:51:24, Tanmay Vartak wrote: > essage=With code review comments and Authentication handler factory something went wrong will upload new patch
Sign in to reply to this message.
With code review comments and Authentication handler factory
Sign in to reply to this message.
Implemented most of the code review comments https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:117: public Builder (String sharePointUrl, String username, On 2014/04/16 20:13:35, pjo wrote: > s/r (/r(/ Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:144: public Builder setTrustLocation (String trustLocation) { On 2014/04/16 20:13:35, pjo wrote: > s/n (/n(/ Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:150: return new AdfsHandshakeManager(sharePointUrl, username, On 2014/04/16 20:13:35, pjo wrote: > is it ok if trustLocation or login are still null? Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:154: On 2014/04/16 20:13:35, pjo wrote: > remove extra empty line Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:154: On 2014/04/16 20:13:35, pjo wrote: > remove extra empty line Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:161: = new HashMap<String, String>(); On 2014/04/16 20:13:35, pjo wrote: > r u sure this line would be over80? Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:176: + "&wctx=" + URLEncoder.encode(sharePointUrl + login,"UTF-8") I have changed implementation. Default values will work as expected while custom values in adaptor config.properties needs to be full Urls instead of relative urls. On 2014/04/16 20:13:35, pjo wrote: > should we check somewhere earlier that sharePointUrl ends with "/"? > > I'm not sure if it has to or not, just a thought. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:200: db = dbf.newDocumentBuilder(); On 2014/04/16 20:13:35, pjo wrote: > combine last two lines Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212: log.log(Level.FINER, "ADFS Authentication Token {0}", token); This should be OK. There is no sensitive information. On 2014/04/16 20:13:35, pjo wrote: > is it OK to log this value? is it sensitive? > just asking. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:238: if(input == null) { On 2014/04/16 20:13:35, pjo wrote: > space before ( Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:92: return new LiveAuthenticationHandshakeManager(sharePointUrl, username, On 2014/04/16 20:13:35, pjo wrote: > should we check for "login" and stsendpoint being null? Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:124: log.log(Level.FINER, "Live Authentication Token {0}", token); Is OK. Not sensitive. On 2014/04/16 20:13:35, pjo wrote: > is this a sensitive value that can be logged? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:135: On 2014/04/16 20:13:35, pjo wrote: > remove extra blank line Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:149: private final Map<String, List<String>> headers; My bad. Copied from SharePointAdaptor class. Not applicable removed. On 2014/04/16 20:13:35, pjo wrote: > i don't actually get what the comment is saying. > what alternates? https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:153: this.contents = contents; On 2014/04/16 20:13:35, pjo wrote: > check for nulls? Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:154: this.headers = headers; On 2014/04/16 20:13:35, pjo wrote: > what do you think about making copy? not worth it > because is only visible for testing? Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:162: return headers; On 2014/04/16 20:13:35, pjo wrote: > return wrapped in unmodifiable? Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:449: config.addKey("sts.login", ""); In diff code review CL, once we are OK with parameters and values On 2014/04/16 20:13:35, pjo wrote: > add these to overview.html in source directory pls. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451: config.addKey("sharepoint.useLiveAuthentication", ""); Yes On 2014/04/16 20:13:35, pjo wrote: > also this one. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:495: authenticationClient = new SharePointFormsAuthenticationHandler( On 2014/04/15 22:35:18, Tanmay Vartak wrote: > I want to replace this with a Factory method to make writing unit tests easy. Done. https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java (right): https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198: config.addKey("sharepoint.useLiveAuthentication", ""); Yes in different CL On 2014/04/16 20:13:35, pjo wrote: > add to overview.html https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:263: password, scheduledExecutor, authenticationClient); Extracted out On 2014/04/16 20:13:35, pjo wrote: > this code section seems similar to the one in SPA. > should it/can it be extracted out?
Sign in to reply to this message.
Miguel, please review this SharePoint CL. Thank you
Sign in to reply to this message.
This CL seems to add support for Live authentication and ADFS authentication. Can you also expand on the description to give me an idea on what you need to do to add ADFS support. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197: return String.format(reqXML, escapeXml(stsendpoint), escapeXml on escapes cdata. Can username and password contain "<" or "&" that require cdata escaping? https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:245: String escapeXml(String input) { The name escapeXml does not seem appropriate. This is just doing cdata escaping. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:489: String stsendpoint = config.getValue("sts.endpoint"); Same comments as SharePointUserProfileAdaptor.java. Also, there is a log of code duplication between here and SharePointUserProfileAdaptor.java. It seems like using a base class would be prudent. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:204: config.addKey("sharepoint.useLiveAuthentication", ""); So then shouldn't this be "false" by default instead of empty string. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:244: String stsendpoint = config.getValue("sts.endpoint"); You should log this at Level.CONFIG after reading the value. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:253: .newAdfsAuthentication(virtualServer, username, password, config); You only need stsendpoint for ADFS? What about "sts.realm", "sts.trustLocation" and "sts.login"? You're not reading or verifying those values. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:258: authenticationHandler = new FormsAuthenticationHandler(username, You should log some indicator of what authentication you're using.
Sign in to reply to this message.
Hi Miguel, Thanks for your code review. For your reference ADFS flow. (also applicable for Live authentication with minor variations). 1. ADFS is a SAML implentation by Microsoft. SharePoint can be configured to trust ADFS to authenticate a User and generating associated claims for User. 2. When User tries to access SharePoint secured with ADFS, user gets redirected to ADFS endpoint (STSENDPOINT). 3. ADFS will validate user credentials and if credentials are valid, it will return SAML authentication token which can be used to establish user identity by SharePoint. 4. For Adaptor, AdfsHandshakeManager will request SAML token from ADFS using HTTP post to configured STSENDPOINT. 5. In response, ADFS will return SAML Token. AdfsHandshakeManager will extract this token from response. 5. AdfsHandshakeManager will do another HTTP Post to trust location using extarcted token. 6. In response, SharePoint will include authentication cookies. 7. Authentication cookies will be used to make subsequent requests. 8. FormsAuthenticationHandler provides base framework to refresh authentication cookies on regular interval. 9. Process flow for Live authentication is almost same with variation in "token value" and "HTTP Post" for obtaining cookie. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197: return String.format(reqXML, escapeXml(stsendpoint), We can call this wrapXml or wrapCdata is thats sounds OK. With CDATA we don't need to worry about any special chars such as & or <. Only thing that we need to escape is ']]>'. On 2014/04/21 18:12:20, mifern wrote: > escapeXml on escapes cdata. Can username and password contain "<" or "&" that > require cdata escaping? https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:489: String stsendpoint = config.getValue("sts.endpoint"); Initially when I started with User profile adaptor, myself and Eric discussed about having common base class but we decided to keep them separate for simplicity with side effect of duplicating code. We can still revisit that decision but I want to avoid it in this CL. On 2014/04/21 18:12:20, mifern wrote: > Same comments as SharePointUserProfileAdaptor.java. > > Also, there is a log of code duplication between here and > SharePointUserProfileAdaptor.java. It seems like using a base class would be > prudent.
Sign in to reply to this message.
On 2014/04/21 21:05:32, Tanmay Vartak wrote: > Hi Miguel, > > Thanks for your code review. > For your reference ADFS flow. (also applicable for Live authentication with > minor variations). > 1. ADFS is a SAML implentation by Microsoft. SharePoint can be configured to > trust ADFS to authenticate a User and generating associated claims for User. > 2. When User tries to access SharePoint secured with ADFS, user gets redirected > to ADFS endpoint (STSENDPOINT). > 3. ADFS will validate user credentials and if credentials are valid, it will > return SAML authentication token which can be used to establish user identity by > SharePoint. > 4. For Adaptor, AdfsHandshakeManager will request SAML token from ADFS using > HTTP post to configured STSENDPOINT. > 5. In response, ADFS will return SAML Token. AdfsHandshakeManager will extract > this token from response. > 5. AdfsHandshakeManager will do another HTTP Post to trust location using > extarcted token. > 6. In response, SharePoint will include authentication cookies. > 7. Authentication cookies will be used to make subsequent requests. > 8. FormsAuthenticationHandler provides base framework to refresh authentication > cookies on regular interval. > 9. Process flow for Live authentication is almost same with variation in "token > value" and "HTTP Post" for obtaining cookie. > > https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... > File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java > (right): > > https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... > src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197: > return String.format(reqXML, escapeXml(stsendpoint), > We can call this wrapXml or wrapCdata is thats sounds OK. > > With CDATA we don't need to worry about any special chars such as & or <. Only > thing that we need to escape is ']]>'. > > On 2014/04/21 18:12:20, mifern wrote: > > escapeXml on escapes cdata. Can username and password contain "<" or "&" that > > require cdata escaping? > > https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... > File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java > (right): > > https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... > src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:489: String > stsendpoint = config.getValue("sts.endpoint"); > > Initially when I started with User profile adaptor, myself and Eric discussed > about having common base class but we decided to keep them separate for > simplicity with side effect of duplicating code. > > We can still revisit that decision but I want to avoid it in this CL. > > On 2014/04/21 18:12:20, mifern wrote: > > Same comments as SharePointUserProfileAdaptor.java. > > > > Also, there is a log of code duplication between here and > > SharePointUserProfileAdaptor.java. It seems like using a base class would be > > prudent. STSRELAM : This is an identifier used by ADFS to identify relying party (in this case particular SharePoint application).
Sign in to reply to this message.
https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197: return String.format(reqXML, escapeXml(stsendpoint), escapeCdata sounds like a good compromise. On 2014/04/21 21:05:32, Tanmay Vartak wrote: > We can call this wrapXml or wrapCdata is thats sounds OK. > > With CDATA we don't need to worry about any special chars such as & or <. Only > thing that we need to escape is ']]>'. > > On 2014/04/21 18:12:20, mifern wrote: > > escapeXml on escapes cdata. Can username and password contain "<" or "&" that > > require cdata escaping? > https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java:28: String username, String password, Config config) throws IOException; Passing in a config does not seem like the right approach here. The adaptor should be reading the config values and validating them. https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... File test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java (right): https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:264: AdfsHandshakeManager manager = new AdfsHandshakeManager.Builder( You also need a test where you escape "<![CDATA[something]]>". https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:267: assertEquals("<![CDATA[This is simple]]>", This test should include the two characters that are needed for cdata, "&" and "<". https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... File test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java (right): https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java:233: ,authenticatioFactory); For consistency with the other tests, the comma should be on the previous line.
Sign in to reply to this message.
https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... File test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java (right): https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java:80: private AuthenticationHandlerFactory authenticatioFactory "authenticatioFactory" => "authenticationFactory"
Sign in to reply to this message.
With code review comments implemented
Sign in to reply to this message.
https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197: return String.format(reqXML, escapeXml(stsendpoint), On 2014/04/21 21:42:20, mifern wrote: > escapeCdata sounds like a good compromise. > > On 2014/04/21 21:05:32, Tanmay Vartak wrote: > > We can call this wrapXml or wrapCdata is thats sounds OK. > > > > With CDATA we don't need to worry about any special chars such as & or <. Only > > thing that we need to escape is ']]>'. > > > > On 2014/04/21 18:12:20, mifern wrote: > > > escapeXml on escapes cdata. Can username and password contain "<" or "&" > that > > > require cdata escaping? > > > Done. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:245: String escapeXml(String input) { On 2014/04/21 18:12:20, mifern wrote: > The name escapeXml does not seem appropriate. This is just doing cdata escaping. Done. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java:28: String username, String password, Config config) throws IOException; Done. Replaced with ADFS specific parameters. On 2014/04/21 21:42:20, mifern wrote: > Passing in a config does not seem like the right approach here. The adaptor > should be reading the config values and validating them. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... File src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java (right): https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:204: config.addKey("sharepoint.useLiveAuthentication", ""); On 2014/04/21 18:12:20, mifern wrote: > So then shouldn't this be "false" by default instead of empty string. Done. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:244: String stsendpoint = config.getValue("sts.endpoint"); On 2014/04/21 18:12:20, mifern wrote: > You should log this at Level.CONFIG after reading the value. Done. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:253: .newAdfsAuthentication(virtualServer, username, password, config); On 2014/04/21 18:12:20, mifern wrote: > You only need stsendpoint for ADFS? What about "sts.realm", "sts.trustLocation" > and "sts.login"? You're not reading or verifying those values. Done. https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:258: authenticationHandler = new FormsAuthenticationHandler(username, On 2014/04/21 18:12:20, mifern wrote: > You should log some indicator of what authentication you're using. Done. https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... File test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java (right): https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:264: AdfsHandshakeManager manager = new AdfsHandshakeManager.Builder( On 2014/04/21 21:42:20, mifern wrote: > You also need a test where you escape "<![CDATA[something]]>". Done. https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:267: assertEquals("<![CDATA[This is simple]]>", On 2014/04/21 21:42:20, mifern wrote: > This test should include the two characters that are needed for cdata, "&" and > "<". Done. https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... File test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java (right): https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise... test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java:80: private AuthenticationHandlerFactory authenticatioFactory On 2014/04/21 22:21:20, John L wrote: > "authenticatioFactory" => "authenticationFactory" Done.
Sign in to reply to this message.
A few comments. Thank you https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:247: return input; Does returning null make sense? How is that going to go into the string? Should it be fatal? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java:22: public interface AuthenticationHandlerFactory { Please annotate class: # Can an authentication handler provided be reused? # Why do they take different amounts of parameters? # Are they thread safe? # Do they need to be cleaned up? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:36: implements AuthenticationHandlerFactory{ s/y{/y {/ https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:87: + "/_vti_bin/Authentication.asmx").toString(); one too much indent https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:452: // When running against ADFS authentication, set this to relam value. relam? is it a realm? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:453: config.addKey("sts.relam", ""); relam? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:457: config.addKey("sharepoint.useLiveAuthentication", "false"); The sequence of attempted authentications, the sequence of conditions and steps, will need to be carefully spelled out in documentation. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:479: String stsrelam = config.getValue("sts.relam"); if it is a realm then please change throughout https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:200: config.addKey("sts.relam", ""); realm? throughout
Sign in to reply to this message.
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:54: return URI.create(endpoint).toASCIIString(); So UNICODE characters will be replaced by ? and lost. That would mean the endpoint would be invalid then. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:57: private static URI spUrlToUri(String url) throws IOException { So you're assuming here that the url does not start with "http://"? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:57: private static URI spUrlToUri(String url) throws IOException { I don't understand this method. Why create a URI then split it then encode part of it and then put it back together. Wouldn't it be simpler to encode the part that needs to be encoded and then generate the URL? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:66: String host = parts[0] + "/" + parts[1] + "/" + parts[2]; You don't need the host variable. Just use: URI hostUri = URI.create(parts[0] + "/" + parts[1] + "/" + parts[2]); https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:67: if (sharePointUrl == null || username == null || password == null These should be precondition checks so that you get a better message if one of these is null. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:82: this.login = login; If login can't be null, then you should have a precondition check. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:87: this.stsendpoint = stsendpoint; If stsendpoint can't be null, then you should have a precondition check. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:92: if (Strings.isNullOrEmpty(stsendpoint) These check are not needed if handled above. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:141: String url = login; url local variable is not needed. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:147: String cookie = postResponse.getPostResponseHeaderField("Set-Cookie"); Just return, no need for cookie local variable. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:48: if (samlClient == null) { Precondition check? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:60: log.log(Level.WARNING, "Empty SAML Token."); What would cause an empty token? Is there an error code? What action can the user take? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:67: log.log(Level.FINE, "Authentication Cookie {0}", cookie); So it's OK to log the cookie but not the token? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:107: url = new URL(url.toURI().toASCIIString()); I don't think this is right. You could lose some characters. Maybe you to encode them using UTF-8. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:139: if (inputStream != null) { Can either the stream be null? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:499: AuthenticationHandler authenticationClient; You should log what authentication is being used. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:504: && !Strings.isNullOrEmpty(stsrelam)) { Just stsendpoint and stsrelam being non-empty is enough for ADFS? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:251: AuthenticationHandler authenticationClient; This like the same code as SharePointAdaptor.java just with more logging. Add the same logging to SharePointAdaptor.java.
Sign in to reply to this message.
Thank you https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:67: if (sharePointUrl == null || username == null || password == null On 2014/04/24 04:00:38, mifern wrote: > These should be precondition checks so that you get a better message if one of > these is null. Let's not do it in this CL. This project has been using == null and it's OK to stick to that nearby standard. If we want to change to Preconditions let's make a task and do it wholesale across the adaptor. Thank you
Sign in to reply to this message.
Some small nit picks from me, otherwise looks good https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:142: this.login = sharePointUrl + DEFAULT_LOGIN; Can you check, if this will this work when sharePointUrl ends with trailing slash? http://sp.example.com//_layouts/Authenticate.aspx" https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170: Map<String, String> requestProperties = new HashMap<String, String>(); s/requestProperties/requestHeaders https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:188: Map<String, String> requestProperties = new HashMap<String, String>(); headers https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212: = document.getElementsByTagNameNS("*","RequestSecurityTokenResponse"); why are you using * - you should use the exact namespace name https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:121: = document.getElementsByTagNameNS("*","BinarySecurityToken"); Why the asterisk? Why don't you use the exact namespace name. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:101: public PostResponseInfo issuePostRequest(URL url, Can you add logging of the whole HTTP request, response here https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:450: // When running against ADFS authentication, set this to ADFS endpoint. Can you add the defaults as comment here https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198: // When running against ADFS authentication, set this to ADFS endpoint. Can you put here the defaults as comments
Sign in to reply to this message.
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451: config.addKey("sts.endpoint", ""); Should these new configuration values be prefixed with "sharepoint."? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:503: } else if (!Strings.isNullOrEmpty(stsendpoint) stsendpoint and stsrelam will never be null.
Sign in to reply to this message.
On 2014/04/25 20:58:43, ejona wrote: > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java > (right): > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451: > config.addKey("sts.endpoint", ""); > Should these new configuration values be prefixed with "sharepoint."? > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:503: } else > if (!Strings.isNullOrEmpty(stsendpoint) > stsendpoint and stsrelam will never be null. Hi Eric, Thanks for code review. Your help is really appreciated. Please give your feedback for entire code review. :) sts.endpoint is "Secure token service endpoint". This something outside the SharePoint. SharePoint just rely on STS Endpoint to authenticate user and provide necessary claims. sharepoint.endpoint will be confusing with SharePoint url. I will replace Strings.IsNullOrEmpty check with "".equals check. Regards, Tanmay
Sign in to reply to this message.
On 2014/04/25 09:19:32, ondrejnovak wrote: > Some small nit picks from me, otherwise looks good > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java > (right): > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:142: > this.login = sharePointUrl + DEFAULT_LOGIN; > Can you check, if this will this work when sharePointUrl ends with trailing > slash? > http://sp.example.com//_layouts/Authenticate.aspx%22 > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170: > Map<String, String> requestProperties = new HashMap<String, String>(); > s/requestProperties/requestHeaders > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:188: > Map<String, String> requestProperties = new HashMap<String, String>(); > headers > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212: = > document.getElementsByTagNameNS("*","RequestSecurityTokenResponse"); > why are you using * - you should use the exact namespace name > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > File > src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java > (right): > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:121: > = document.getElementsByTagNameNS("*","BinarySecurityToken"); > Why the asterisk? Why don't you use the exact namespace name. > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java > (right): > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:101: > public PostResponseInfo issuePostRequest(URL url, > Can you add logging of the whole HTTP request, response here > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java > (right): > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:450: // When > running against ADFS authentication, set this to ADFS endpoint. > Can you add the defaults as comment here > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > File > src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java > (right): > > https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... > src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198: > // When running against ADFS authentication, set this to ADFS endpoint. > Can you put here the defaults as comments Hi Ondra, Thanks for review. I verified that double slash // works here even though chances of having // in url are low. During init, Adaptor will trim trailing '/'. So virtual server url will be without trailing slash. Only if you specify Virtual server url with 2 trailing slashes e.g. "http://sharepoint.exampl.com//" then we will generate login url as "http://sharepoint.exampl.com//_layouts/Authentication.aspx" and it works fine. Regards, Tanmay
Sign in to reply to this message.
I may find the time to give it a high-level look-over. Based on the email conversation, it seemed I would need to look at the code more to comment. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451: config.addKey("sts.endpoint", ""); On 2014/04/25 20:58:44, ejona wrote: > Should these new configuration values be prefixed with "sharepoint."? I was meaning "sharepoint.sts.endpoint". "sharepoint" would be there because that is the adaptor you are providing configuration for. I'm not certain you want the sharepoint there, but I would lean toward having it. Just something to consider.
Sign in to reply to this message.
After looking at body of FormsAuthenticationHandler it looks close to template method <http://en.wikipedia.org/wiki/Template_method_pattern> (without the subclass part). So, here is a proposal: # Keep FormsAuthenticationHandler # Remove FormsAuthenticationHandler.AuthenticationHandler # Add abstract `AuthenticationResult authenticate()' to FormsAuthenticationHandler # Make SamlAuthenticationHandler and SharePointFormsAuthenticationHandler subclass FormsAuthenticationHandler # Remove boolean isFormsAuthentication ()because the name makes refers to instance, not to SP server. Instead have start return or throw fact that server doens't support forms-authn and keep state in adaptor. Alternate proposal: # Rename AuthenticationHandler interface to AuthenticationClient # Continue to have FormsAuthencationHandler and have it accept instance of AuthencationClient # Remove boolean isFormsAuthentication()because the name makes refers to instance, not to SP server. Instead have start return or throw fact that server doens't support forms-authn and keep state in adaptor. The reason I'd like to make some changes is: # AuthnHandler and FormsAuthnHandler as names don't communicate their relationship # isFormsAuthentcation() makes it seem like it's about handler, but it really is about the SP server, and that's confusing Thank you very much, PJ - technology's compounding interest - On Fri, Apr 25, 2014 at 2:57 PM, <ejona@google.com> wrote: > I may find the time to give it a high-level look-over. Based on the > email conversation, it seemed I would need to look at the code more to > comment. > > > > https://codereview.appspot.com/83730043/diff/100001/src/ > com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java > File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java > (right): > > https://codereview.appspot.com/83730043/diff/100001/src/ > com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java#newcode451 > src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451: > config.addKey("sts.endpoint", ""); > On 2014/04/25 20:58:44, ejona wrote: > >> Should these new configuration values be prefixed with "sharepoint."? >> > > I was meaning "sharepoint.sts.endpoint". "sharepoint" would be there > because that is the adaptor you are providing configuration for. I'm not > certain you want the sharepoint there, but I would lean toward having > it. Just something to consider. > > https://codereview.appspot.com/83730043/ >
Sign in to reply to this message.
With code review comments and restructuring Authentication Handler
Sign in to reply to this message.
I have implemented most of the code review comments. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:142: this.login = sharePointUrl + DEFAULT_LOGIN; This works On 2014/04/25 09:19:33, ondrejnovak wrote: > Can you check, if this will this work when sharePointUrl ends with trailing > slash? > http://sp.example.com//_layouts/Authenticate.aspx%22 https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170: Map<String, String> requestProperties = new HashMap<String, String>(); On 2014/04/25 09:19:33, ondrejnovak wrote: > s/requestProperties/requestHeaders Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:188: Map<String, String> requestProperties = new HashMap<String, String>(); On 2014/04/25 09:19:33, ondrejnovak wrote: > headers Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212: = document.getElementsByTagNameNS("*","RequestSecurityTokenResponse"); Done. Should we fallback to * if default namespace "http://schemas.xmlsoap.org/ws/2005/02/trust" is not working? On 2014/04/25 09:19:33, ondrejnovak wrote: > why are you using * - you should use the exact namespace name https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:247: return input; Modified to return empty string. On 2014/04/24 00:20:23, pjo wrote: > Does returning null make sense? How is that going to go into the string? Should > it be fatal? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:54: return URI.create(endpoint).toASCIIString(); This piece of code is borrowed from existing SharePoint Adaptor code and works fine with Unicode characters. On 2014/04/24 04:00:38, mifern wrote: > So UNICODE characters will be replaced by ? and lost. That would mean the > endpoint would be invalid then. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:57: private static URI spUrlToUri(String url) throws IOException { Again this one taken from SharePoint Adaptor code. This works with https:// as well. In fact to use ADFS, SharePoint needs to be https:// Why are we doing this ? Consider following url, "https://sharepoint.example.com/sites/My Site Collection". In this url host "https://sharepoint.example.com" is properly encoded but path "/sites/My Site Collection" is not. So this method is creating host uri "https://sharepoint.example.com" and path uri "/sites/My%20Site%Collection" and get combine output as "https://sharepoint.example.com/sites/My%20Site%Collection". This conversion is more applicable for urls returned by SharePoint where host is already encode but path is not. See comment by Eric about SharePoint being silly here. :) I moved existing code from SharePoint Adaptor class to here so that it can be reused between SharePoint adaptor and user profile adaptor. We might need to revisit this code and some other places in Adaptor for Unicode handling as part of another CL. On 2014/04/24 04:00:38, mifern wrote: > So you're assuming here that the url does not start with "http://"? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:87: + "/_vti_bin/Authentication.asmx").toString(); On 2014/04/24 00:20:23, pjo wrote: > one too much indent Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:82: this.login = login; As mentioned by PJ, keeping it consistent with existing code. On 2014/04/24 04:00:38, mifern wrote: > If login can't be null, then you should have a precondition check. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:87: this.stsendpoint = stsendpoint; As mentioned by PJ, keeping it consistent with existing code. On 2014/04/24 04:00:38, mifern wrote: > If stsendpoint can't be null, then you should have a precondition check. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:92: if (Strings.isNullOrEmpty(stsendpoint) On 2014/04/24 04:00:38, mifern wrote: > These check are not needed if handled above. Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:121: = document.getElementsByTagNameNS("*","BinarySecurityToken"); On 2014/04/25 09:19:33, ondrejnovak wrote: > Why the asterisk? Why don't you use the exact namespace name. Done. Same connect applicable as in ADFS https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:141: String url = login; On 2014/04/24 04:00:38, mifern wrote: > url local variable is not needed. Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:147: String cookie = postResponse.getPostResponseHeaderField("Set-Cookie"); On 2014/04/24 04:00:38, mifern wrote: > Just return, no need for cookie local variable. Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:60: log.log(Level.WARNING, "Empty SAML Token."); As per discussion with PJ, I am changing code to throw IO exception that will not fallback to Windows Integrated Authentication. We are here because user wants to use Live authentication. On 2014/04/24 04:00:38, mifern wrote: > What would cause an empty token? Is there an error code? What action can the > user take? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:67: log.log(Level.FINE, "Authentication Cookie {0}", cookie); Logging @ FINE. Should be OK. On 2014/04/24 04:00:38, mifern wrote: > So it's OK to log the cookie but not the token? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:107: url = new URL(url.toURI().toASCIIString()); Again existing code. On 2014/04/24 04:00:38, mifern wrote: > I don't think this is right. You could lose some characters. Maybe you to encode > them using UTF-8. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:139: if (inputStream != null) { As per documentation Error stream can be null if there is an error but server dont have any data to report about it. On 2014/04/24 04:00:38, mifern wrote: > Can either the stream be null? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:450: // When running against ADFS authentication, set this to ADFS endpoint. On 2014/04/25 09:19:33, ondrejnovak wrote: > Can you add the defaults as comment here Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451: config.addKey("sts.endpoint", ""); On 2014/04/25 21:57:29, ejona wrote: > On 2014/04/25 20:58:44, ejona wrote: > > Should these new configuration values be prefixed with "sharepoint."? > > I was meaning "sharepoint.sts.endpoint". "sharepoint" would be there because > that is the adaptor you are providing configuration for. I'm not certain you > want the sharepoint there, but I would lean toward having it. Just something to > consider. Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:452: // When running against ADFS authentication, set this to relam value. On 2014/04/24 00:20:23, pjo wrote: > relam? is it a realm? Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:453: config.addKey("sts.relam", ""); On 2014/04/24 00:20:23, pjo wrote: > relam? Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:457: config.addKey("sharepoint.useLiveAuthentication", "false"); Noted down. On 2014/04/24 00:20:23, pjo wrote: > The sequence of attempted authentications, the sequence of > conditions and steps, will need to be carefully spelled > out in documentation. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:479: String stsrelam = config.getValue("sts.relam"); On 2014/04/24 00:20:23, pjo wrote: > if it is a realm then please change throughout Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:503: } else if (!Strings.isNullOrEmpty(stsendpoint) On 2014/04/25 20:58:44, ejona wrote: > stsendpoint and stsrelam will never be null. Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:504: && !Strings.isNullOrEmpty(stsrelam)) { yes. On 2014/04/24 04:00:38, mifern wrote: > Just stsendpoint and stsrelam being non-empty is enough for ADFS? https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198: // When running against ADFS authentication, set this to ADFS endpoint. On 2014/04/25 09:19:33, ondrejnovak wrote: > Can you put here the defaults as comments Done. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:200: config.addKey("sts.relam", ""); On 2014/04/24 00:20:23, pjo wrote: > realm? throughout Done.
Sign in to reply to this message.
As per recommendation by PJ, we can remove isFormsAuthentication method. Even though actual code changes are small, need significant changes in unit tests. As this CL is getting larger and complex, I will send follow up CL for removing isFormAuthentication.
Sign in to reply to this message.
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:107: url = new URL(url.toURI().toASCIIString()); On 2014/04/24 04:00:38, mifern wrote: > I don't think this is right. You could lose some characters. Maybe you to encode > them using UTF-8. Take a look at the toASCIIString() documentation. It converts Unicode characters to UTF-8 encoded bytes that are %-encoded. So it actually maintains Unicode characters. This code actually is to support Unicode, because Java is broken and will send Unicode characters as text instead of %-encoded, which is a huge no-no.
Sign in to reply to this message.
LGTM. Thank you. Please: (1) fix these nits (2) double check that not logging sensitive info (3) double check no "relam" anywhere Say if you'd like another look. https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:201: String extractToken(String tokenResponse) throws IOException { private or Visible for testing? https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:52: public class AdfsHandshakeManager implements SamlHandshakeManager { annotate with javadoc https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:217: throw new IOException("ADFS token not available in response"); Consider only throwing. https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:219: Node responseToken = nodes.item(0); we know it's the first one? https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:221: log.log(Level.FINER, "ADFS Authentication Token {0}", token); Is this OK to log? https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/FormsAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/FormsAuthenticationHandler.java:65: abstract boolean isFormsAuthentication() throws IOException; Put TODO to remove it. https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java (right): https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:94: || Strings.isNullOrEmpty(login)) { i think fits on one line https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:132: log.log(Level.FINER, "Live Authentication Token {0} namespace = {1} ", new Object[] {token, n.getNamespaceURI()}); split this line https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:72: authenticationHandler.samlClient = samlClient; pass as ctor parameter https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:80: remove blank line https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:81: log.log(Level.FINE, "Fetching SAML Token using {0}", samlClient); Does samlClient have a good toString()? https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:89: log.log(Level.FINER, "Authentication Cookie {0}", cookie); Should we log the cookie? https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java (right): https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:454: // When running against ADFS authentication, set this to relam value. s/relam/realm/ https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointFormsAuthenticationHandler.java (right): https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointFormsAuthenticationHandler.java:71: authenticationHandler.authenticationClient = authenticationClient; pass to ctor https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... File src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java (right): https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise... src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:200: // When running against ADFS authentication, set this to relam value. s/relam/realm/ https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris... File test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java (right): https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris... test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:257: username, password, new ScheduledThreadPoolExecutor(1), manager).build(); over80 https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris... File test/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManagerTest.java (right): https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris... test/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManagerTest.java:182: "username@domain", "password&123", new ScheduledThreadPoolExecutor(1), manager).build(); over80 https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris... File test/com/google/enterprise/adaptor/sharepoint/SharePointAdaptorTest.java (right): https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris... test/com/google/enterprise/adaptor/sharepoint/SharePointAdaptorTest.java:2093: public <T extends EndpointReference> T getEndpointReference(Class<T> clazz) { over80
Sign in to reply to this message.
|